RDOutlook
New Member
February 3, 2016
Solved

SSL.RSA.Temporary.Key.Security.Bypass

All,

Can anybody here assist me with outbound traffic events (from a small number of our internal hosts to the internet)?

Event: SSL.RSA.Temporary.Key.Security.Bypass

Additional information: http://www.fortinet.com/ids/VID40207

For a few months, a fairly small number of machines have generated an awful lot of outbound events to specific IP addresses.

We are pretty confident this is not something to be worried about, as we have leveraged additional tools to investigate our internal hosts. Still very interested in what this can be related to.

As a reference point, in the month of January, 3 hosts generated 40825 events.

The following IP addresses are noted for these 3 hosts as the destination addresses they are communicating with (AT&T addresses belonging to CerfNet).

12.130.55.203: 14928 events

12.130.55.186: 5279 events

12.130.55.56: 10519 events

12.130.55.172: 3346 events

12.130.55.187: 3386 events

206.19.56.155: 3347 events

Anybody any idea?

R

    Best answer by Patrickh99


    AndrewG
    New Member
    February 4, 2016

    Same thing here but with IP 12.130.142.57. Nothing with VirusTotal. I'm considering scanning for vulns using Metasploit.

    Only happening on one single machine, many times an hour.

    1 09:46:13 FGT90D3Z140xxxxx deny 192.168.x.x 12.130.142.57 SSL_SSLv2 HTTPS block APP1IPS1 SSL.RSA.Temporary.Key.Security.Bypass

    Patrickh99
    New Member
    February 8, 2016

    I get the alert from a program called ATT Connect. It is a Webex type program that AT&T uses for their teleconferences that auto-starts and runs in the background on PCs. It does some communication in the background every few minutes to generate the alerts.

    I have not figured out how to get rid of the alert other than shutting off the program.

    RDOutlook
    Author
    New Member
    February 16, 2016

    Thanks!

    I am in the process of confirming this information and it looks to be indeed the root cause for this traffic.

    Interesting on our side is that we use AT&T's managed service for IDS/IPS.

    I will open a case with them to investigate their own software.